The Tinfoil Security Website Scanner routinely scans your website for vulnerabilities, alert you with what it finds, and tell you how to fix it. It is also affordable, scanning you regularly for a low monthly fee and sending actionable reports right to your inbox. Tinfoil Security prides itself on being the most usable security solution, making it easy to find holes in your website and helping you fix them without hiring an expensive consultant.

Once the Tinfoil Security Website Scanner is added, a TINFOILSECURITY_SCAN_SCHEDULE setting becomes available in the app configuration and contains the proposed scanning schedule. Initially the config is listed as “PENDING” while your application continues to be automatically configured.

Just a few minutes after installing the Tinfoil Security Website Scanner add-on your application is automatically configured to integrate with the scanner. You can check on the process by running the heroku config:get command again and waiting until a scanning schedule is automatically assigned. You can change this schedule via the Tinfoil Security dashboard. You may log into the dashboard via one of the methods here.

$ heroku config:get TINFOILSECURITY_SCAN_SCHEDULE
Weekly on Thursdays

Getting Scanned

The Tinfoil Security Website Scanner works on all types of programming languages and web frameworks. A scan is automatically initiated based on the schedule that was proposed or that you customize on the Tinfoil Security Dashboard. Once the scan finishes you are emailed the results and Tinfoil Security lets you know if there’s anything you can do to get more secure!

Changing Your Schedule and Configuring the Scan

If you’d prefer to be scheduled at a separate time or change a setting like the number of requests per second the scanner scans your website with you can do so from the Tinfoil Security Dashboard. Log into the dashboard via one of the methods here.

The URL for the scan is automatically determined from your heroku configuration and cannot be changed. If you use Heroku Custom Domains we will attempt to scan the first listed domain.

The Scan Schedule dictates when automatic scans will be run. All times are calculated in United States Pacific Time. If you prefer to only scan manually you may select “Manually Scan” here. If you’d prefer to be scanned more frequently, you may need to first upgrade your plan.

The Request Rate dictates the maximum requests per second the scanner will use to scan your website. Scans finish faster at a higher request rate, but you may need more dynos to support the additional traffic. In addition, the scanner backs off its request rate dynamically if your website appears to slow down significantly. Updating the Request Rate during a running scan affects it immediately, in real-time.

The Software Stack allows you to indicate a bit more about the software you use on your website. This allows the scanner to customize results and provide the most relevant step-by-step fixes. It is highly recommended to provide information about what software you run and what languages you use on your website.

Login Credentials allow you to tell the scanner how to log into your website if you’d like it to scan behind authentication.

Running a Manual Scan

If you’d like to run a manual scan, simply visit your Tinfoil Security Dashboard via one of the methods here.

Please note that there is a limit to the number of full scans you may run in a month. Running a manual scan may force a future scheduled scan to get cancelled. If you’d like to run more scans, you can upgrade your plan.

Receiving Results & Fixing Them

Once your scan has finished you receive an email with a summary of the results. To see the full results, visit the Tinfoil Security dashboard via one of the methods here. Click on the View Results button and it will walk you through the scan and what it found.

If you have deployed a fix for a vulnerability and would like to check it, hit the rescan button on the Tinfoil Security dashboard. The scanner quickly checks to make sure it’s really fixed and marks the issue accordingly. Go for the coveted “Safe & Secure” rating!

Canceling a Scan

If you’d like to cancel a running scan you may do so from the Tinfoil Security dashboard. Log into the Tinfoil Security dashboard via one of the methods here. Then select “View Progress” and then “Cancel”. This will immediately stop the scan, and traffic from the scanners will stop within the next few seconds.

Monitoring & Logging

Statistics and the current state of the Tinfoil Security Website Scanner are displayed via the dashboard.

Dashboard

For more information on the features available within the Tinfoil Security dashboard please see the documentation at support.tinfoilsecurity.com.

Migrating between plans

Application owners should carefully manage the migration timing to ensure proper application function during the migration process. A plan migration during a running scan will take effect when the next scan is run.